What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC is a cybersecurity standard conceived by the U.S. Department of Defense to protect the Defense Industrial Base (DIB) from ubiquitous and pervasive cyber threats posed by a range of malicious actors. This new standard is intended to independently verify a DoD contractor's compliance status against the CMMC model and is set to replace the NIST SP 800-171 requirements. It comprises five levels of cybersecurity maturity and is primarily designed to protect CDI, CUI, and FCI in "covered contractor information systems." Organizations seeking certification (OSCs) are required to obtain certification from a private third-party company known as a Certified Third-Party Assessor Organization (C3PAO). The C3PAO must come on-site to the requesting contractor's location and assess the contractor against the CMMC standard. Once the assessment is complete, the C3PAO submits its assessment findings and observations to the CMMC Accreditation Body (CMMC-AB) for review and a final determination on the OSC's certification disposition. Organizations must recertify every three years.

Type of FAQ
Export Control